Certified by the BSI to BS 10012:2017 for data protection in alignment with GDPR

GDPR Program Overview – Verifiable Trust
The goal of the iland General Data Protection Regulation (GDPR) program is to ensure that customers (Controller entities) have assurances of regulatory oversight as well as the ability to perform direct audits of iland, as defined under Article 28 of the GDPR.

It is important to understand that GDPR is not just an IT function but a high-level organizational activity that encompasses the entirety of an organization: from IT, through Marketing, Development and Quality Assurance, to the very end user, the Data Subject.

iland’s approach to the EU General Data Protection Regulation (GDPR) is based on the following frameworks, certifications and attestations, along with legal and governance oversight:

Risk, Privacy and Security
At the foundational level iland operates in accordance with international standards around privacy and security. These foundational pieces include:
iland achieves BSI Certification for Data Protection
iland is one of the first UK organisations certified by the British Standards Institution (BSI) to the global data protection scheme – BS 10012:2017, demonstrating that we are proactively protecting data and managing personal information securely and effectively both within our organisation and for data stored in the iland secure cloud.

BS 10012:2017 specifies the requirements for an organization to adopt a Personal Information Management System (PIMS). A PIMS provides a framework for maintaining and improving compliance with data protection. The standard was revised recently to align with the key principles of the GDPR, which became law on 14 April 2016 and will be mandated from 25 May 2018.

ISO 27001:2013
A systematic approach to managing sensitive information so that it remains secure. It includes people, processes and IT systems by applying a risk management process and third-party oversight.

Program elements include the following areas: information security policies, organization of information security, human resource security, asset management, access control, cryptography, physical and environmental security, operations security, communications security, system acquisition, development and maintenance, supplier relationships, information security incident management, information security aspects of business continuity management, and compliance with internal and external requirements such as policies, laws and regulations.

CSA STAR Certification
The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001 management system standard together with the CSA Cloud Controls Matrix, a specified set of criteria that measures the capability levels of the cloud service.

CSA STAR conforms with ISO 17021:2011 Conformity Assessment, ISO 27006:2011 Information technology – Security techniques, and ISO 19011 Guidelines for auditing management systems.

SSAE 16/18 SOC2
The SSAE 16/18 SOC2 mirrors the ISAE 3402 auditor process and is used to ensure that organizations are performing in accordance with what is referred to as the Trust Principles. The Trust Principles under SOC2 related to Risk, Security and Privacy are Security, Confidentiality and Privacy.

Cyber Essentials
Cyber Essentials is an annual UK government framework of security controls to protect information from internet-facing threats and breaches. It includes reviews of organizational firewalls, data services, virus and threat management, and patching practices.

The iland Approach
iland has taken an aggressive risk-based approach utilizing ISO 27001, SOC2, BS 10012:2017 and CSA standards to ensure proper governance and management of risk and security for all data collection and processing.

Additionally, customers of iland are encouraged to review all iland third-party auditor findings as well as details of our GDPR and other compliance programs. These are made available to ensure that transparency of the Processor operations is aligned with the Controller’s needs.

Service Management
With the rigor of Risk, Privacy and Security it is easy to lose sight of the goal of delivering services. iland has identified the need to ensure that the structure of the GDPR program does not adversely affect the service offerings by ensuring that one of the pillars of the GDPR program is Service Management. The components of this program are:
SSAE 16/18 SOC2
As noted previously, SSAE 16/18 SOC2 mirrors the ISAE 3402 auditor process and is used to ensure that organizations are performing in accordance with Trust Principles. For Service Delivery, Availability and Processing Integrity are reviewed.

Using the SSAE 16/18 SOC2 standards, iland maintains visibility into its ability to deliver services in accordance with contractual requirements and once again validates this through external third-party audits.

IT Framework
The third pillar of the iland GDPR program is the usage of standardized frameworks. This allows for the repeatable and documented output from the elements that compose services offered by iland. The following frameworks are actively utilized:
ITIL v2011
The ITIL (Information Technology Infrastructure Library) framework is designed to standardize the selection, planning, delivery and support of IT services to a business. The goal is to improve efficiency and achieve predictable service levels.
Agile Software Development
Agile software development describes a set of values and principles for software development under which requirements and solutions evolve through the collaborative effort of self-organizing cross-functional teams. It advocates adaptive planning, evolutionary development, early delivery, and continuous improvement, and it encourages rapid and flexible response to change.

Risk, Privacy and Security are incorporated into the use of these frameworks. For example, privacy by design has been incorporated into the Agile framework at all levels and is actively overseen by the iland GDPR program office. The same efforts occur around ITIL activities to ensure that processes and policies conform to the requirements of GDPR.

Finally, GDPR program activities are validated and overseen by Legal and Governance, which covers the contractual formulation of Controller/Processor agreements, the use of Model Contract Clauses (where applicable), the EU/US Privacy Shield, and Binding Corporate Rules (BCR) for internal iland data.

This pillar of the GDPR program also ensures that Controller oversight, through the use of logging, audit artifact generation and customer-performed audits, is managed, giving customers a dedicated resource to interface with. This segment of the program also employs the Data Protection Officer (DPO) to provide linkage between the customer’s DPO and the iland DPO to manage Data Subject Requests as well as breach processes and notifications.

iland Data Protection Officer (DPO) Contact Information:
Office of the Data Protection Officer
ATTN: Frank Krieger

US Office of the DPO:
1235 N. Loop W, Houston, TX 77008, United States
UK Office of the DPO:
24/25 The Shard, 32 London Bridge Street London, SE1 9SG, United Kingdom

All of iland’s data centers are SSAE 16 compliant and/or ISO 27001 certified, and iland platforms across the United States are SOC2 compliant.

Expert Compliance Services
The iland Secure Cloud platform provides many of the control mechanisms and reporting needed to address compliance requirements. However, both configuring the environment according to your needs and sifting through the paperwork of an audit are best done hand-in-hand with an iland certified compliance professional.
